Kermit in the Brazilian elections

KERMIT SOFTWARE PLAYED A CRUCIAL ROLE in Brazil's general election of
October 3, 1994, almost certainly the world's largest and most complex
election ever. At stake in this country of 180 million were the
presidency, all of the 28 state governorships, two-thirds (or 56) of
the Federal Senate seats, and almost 600 Federal and 1000 State
Representatives.

To cope with this task, the Tribunal Superior Eleitoral (Superior
Electoral Court), or TSE, a specialized court of law dedicated to
supervising all elections in the country, decided to take on the
challenge of automating the process as much as possible, and to do it
with a single stroke.

Introducing automation into a nationwide election in a huge country
like Brazil, the same size as the continental USA, was fraught with
hazards and obstacles. First, long-established regional oligarchies
of conservative landowners would resist automation as a threat to
their previous control over elections; second, the state data
processing bureaus, which usually operate in the black only during
election years, would be open to automation only if the bureaus could
provide--and profit from--the automation instead of the TSE; and
finally, the TSE staff's own lack of experience and know-how could
threaten the success of the project.

Numbers

While China, the USA, Russia, and India have electorates comparable to
Brazil's, none of them ever had to cope with an election involving
such large numbers, either because their elections are conducted
differently or because their legislative and executive elections on
both the state and federal level do not coincide as they did in Brazil
in 1994.

VOTING IS MANDATORY in Brazil for everyone aged 18 to 65. 96 million
votors, starting at age 16, elect their government officials directly,
not through an electoral college as in the USA. The
widely-anticipated election involved 27 states, the Federal District,
300,000 ballot boxes, eight presidential candidates, 231 Federal
Senate candidates, 3164 candidates for seats in the Federal House of
Representatives, 7977 to a seat in one of the 600 seats in 27 states
plus the federal district; and 134 candidates for 28 governorships.
Altogether we are talking of 501,456,916 votes in the first round
alone. And all of them, checked and double-checked, were transferred
with Kermit software.

The chairman judge in charge of the TSE, Minister Sepulveda Pertence,
and the court's director-general, Alysson Mitraud, did not take these
numbers lightly. Despite the risks of failure and the uncertainty of
gaining widespread support for their decision, the two officials
decided to proceed with the automation. The single most important
factor to the venture's success was close and effective partnerships
with software and hardware vendors.

Among the software providers were Kermit developer Frank da Cruz of
Columbia University, and his collaborator, Joe Doupnik of Utah State
University, who both worked with the TSE to make everything run as
smoothly as possible.

Old-Style Elections

The Brazilian electorate has evolved since the country's first
election in the mid-19th century. At that time, only the richest
could vote. The richest men, that is -- women could not vote.
Eventually the standard for elegible voters was universalized.
This meant that every man could vote, as long as he could read and
write amd was older that 21.

Not until the early 1930s did a modified constitution give women the
right to vote. Unfortunately, a dictatorship quickly took control of
Brazil and no elections were held until after World War II. So in
fact, women voted for the first time in 1945. However, only in 1988
did the right to vote become truly universal. Gender, property,
literacy, and other excluding criteria were eliminated and the minimum
voting age was lowered to sixteen.

Brazilian elections prior to 1994 were susceptible to many different
kinds of manipulation and fraud. Most have become parts of Brazilian
folklore and have revealing names like the tip-of-the-pen vote,
where the result desired by the local landowner was simply recorded on
the document listing the tabulation of each ballot box. There was
also the lunchbox vote where the local plantation coronel[In
Brazil, originally a title of honor which could be awarded by -- or
bought from -- the federal government. Eventually the title took a
derogatory meaning when used to identify landowners, industry barons,
and other rich and powerful people who used their money and influence
to force common people and lesser politicians to do what they wanted.
When refering to elections, the term always means the rich,
influential, and conservative persons who use their power and money to
allure or coerce poor voters.] would fill out the ballots before
delivering them to the awaiting voters in a closed, or lunch,
box. Not even the voters knew who they were voting for. The term
corral vote means that the landowner kept his workers in his
own corral, like cattle, and told them who to vote for. Like cattle,
they obeyed. Not to be forgotten is the phantom vote, when the
dead arose to cast their ballots. Of course, these ghosts existed in
name only -- on their voter ID cards, their polling site signatures,
and on their tombstones.

The 1989 Election

In October of 1960, a military coup and subsequent military
dictatorships postponed Brazil's democracy and elections for 30 years.
In 1989, Brazil held its first presidential election after three
decades of opression. This was the first election after the adoption
of a new constitution in 1988, the first to have a second runoff
election for close races, the first to have television coverage, the
first to have candidates use computers to handle huge amounts of
information, and the first to broadcast live debates. And it was also
the first time the electoral courts would try their hands at
automation.

Cautiously, the TSE opted not to dive directly into automation.
Instead, they contracted state-owned data processing bureaus to do the
data entry of each state's votes. Then in Brasilia, SERPRO, the
federal data processing bureau, was contracted and regally paid to
tabulate this data. It was a timid but important first step into the
realm of automation, and there was no turning back.

New times, new ways to commit fraud. The computer introduced new
potential and real ways to manipulate election results, such as a
variation on the the tip-of-the pen scheme: simply alter the
numbers during the transcription of the official ballot box results
from paper to computer. The easiest way to do this without attracting
too much attention is to turn blank or invalidated ballots into
valid ballots.

The 1994 Election

For the 1994 election, the TSE was ready to fully accept any challenge
posed by total automation -- it wanted to take computer automation as
far as possible. This included automating the voter and candidate
registry and verification, data transfer among regional election
courts supervising the elections and tabulating stations, public
access to voting regulations, and dissemination of the results. The
only phase not automated was the tabulation of individual ballot
boxes--not surprisingly, the only phase to suffer fraud in the 1994
election, primarily in Rio.

The Electoral Network

The electoral computer network was composed of 33 HP RISC servers
whose size varies from state to state according to population. Each
machine runs HP-UX and includes both TCP/IP and X.25 networking.
TCP/IP would suffice save that the only public network available in
Brazil, RENPAC, is X.25-based. In fact, it is only the bare bones of
a network, providing no services, not even transport. So having
TCP/IP and being able to make it run on top of X.25 was a distinct
advantage. The available X.25 infrastructure permitted TSE to build a
virtual network connecting all the regional courts within just a few
weeks, embodying functionality that TCP/IP users were familiar with.

The RISC servers installed at each regional electoral court ran HP-UX,
Oracle database software (supplied by Oracle's Brazilian distributor,
UNIMIX), Gauntlet security software from TIS, and Columbia
University's C-Kermit communications software. Each machine was
responsible for tallying all state ballots, including those for state
and federal representatives and senators, and for transferring the
results of the presidential race from each tabulating station to the
Superior Electoral Court in Brasilia, and at the same time, offered
any interested party, particularly the press, all information
concerning the election, especially the numbers coming out of the
ballots boxes.

Meanwhile 3,800 Digital Equipment Corporation DECpc personal computers
with modems, special data entry software, and Columbia University's
MS-DOS Kermit software were installed at 2,000 data entry and
transmission sites in all parts of Brazil, some of them so remote that
they could only be reached by boat or small plane.

Thus Kermit software linked together the two worlds: the world outside
the network and the world inside it. In more than one sense Kermit
was the bridge connecting the external, unprotected world to the
internal, Gauntlet-protected world.

Election Day

On Election Day, the one and only day all Brazilians are equal -- they
each have one vote -- the polls are open from 8am to 5pm. Because of
the numerous races involved, the voting was conducted in two parts;
the state and federal races each had a separate ballot. First the
voter shows personal and voter identification and receives a white
ballot. Then behind a screen, the voter chooses one presidential
candidate and two federal senators, and then drops the folded ballot
into the ballot box in view of the recipient committee, which includes
common citizens as well as representatives of the political parties.
Then the voter receives a second ballot for state races, this time
yellow, and marks it behind a paper screen suspended over a counter,
folds it, and deposits it in the ballot box in front of the committee.
When the polls close, the ballot boxes are sealed and sent to the
tabulating stations, along with an official report stating the number
of people voting at that site.

The next morning, dozens of tabulating teams, under the close scrutiny
of the political parties' representatives, break open the ballot boxes
one by one and check the reported numbers of voters against the ballot
count for the box. If there are discrepancies, or if there is any
indication of tampering, the ballot box is declared invalid. If
everything checks out, the tabulation proceeds.

The white and yellow ballots are separated into two piles. First the
votes for the presidency and the federal senate are counted; then the
votes for governor and federal and state representatives. This is a
time-consuming process since each name or number has to be checked
against a long list of valid numbers, names, nicknames, etc. After
all the ballots are counted, an official statement is issued and
signed by the committee, the parties' representatives, and the judge
in charge of the regional electoral court.

Then this official statement is transcribed to the PC. This is the
point where most of the fraud occurred; blank and invalidated ballots
were transferred to a chosen candidate. Cross-checking can't
prevent this type of fraud; only an attentive monitor can spot it.
After the transcription, a computer report is printed and checked
against the original statement. If the numbers are equal, the file
can be transferred.

Enter Kermit

Once the file transfer is authorized, the file is encrypted and
compressed. Then Kermit assumes control, making decisions about how
to connect to the remote server at the TRE (Regional Electoral Court):
dial-up, TCP/IP, or an X.25 connection with or without a PAD (Packet
Assembler/Disassembler).

Once the connection is established, the TIS software, Gauntlet, sends
a challenge to the calling machine. Using her Digital Pathways'
SecureNet Keys (token generator), the user types in her PIN and
then the challenge. The generator produces a number that is sent as
an answer to the server. If all is OK, the Gauntlet firewall opens
and the file is transferred.

Once at the regional machine, the federal (white) votes are dispatched
for tabulation at the TSE, while the state (yellow) votes are
tabulated locally. Small numbers flow in, big numbers flow out. The
results of each ballot box are added to the total as they arrive. An
exact copy of each individual box's result is kept so if any fraud
eventually turns up in any ballot box, its votes can be deducted
easily from the total.

Newspapers, TV and radio stations, poll takers, and other interested
parties could access partial results using a number of methods. Here
again, TIS's Gauntlet ensured that only cleared information flows out
and no tampering is possible. And Kermit was there too, ensuring that
the information that flowed in piece by piece can now flow out in
aggregate.

Kermit's update feature allowed any user with read privileges to dial
in and download the latest numbers without tying up valuable telephone
lines unnecessarily if no updates had occurred since last time.
Kermit's flexible scripting language eliminated the end-user contact
with the file transfer mechanism: after automatically dialing, Kermit
would check whether the remote file was newer than the local one, and
transfer it only if it was. In any case the local application would
proceed. This way no file was ever transferred twice, and no user had
to control anything: Kermit took care of all this automatically.

Using Kermit's powerful scripting language, the results of each ballot
box, as well as the aggregated results, were easily transferred from
end to end--all complexities were hidden under Kermit's
well-thought-out user interface.

Why Kermit Was Chosen

Kermit was chosen to connect the PCs at the tabulating stations to the
regional courts because:

1. Columbia University's Kermit software and protocol are robust
enough to work dependably even when using the poorest telephone
lines--and in Brazil THERE ARE poor-quality telephone lines!

2. Kermit software was available for both MS-DOS and HP-UX.

3. Kermit's powerful scripting language could be used to automate
most
of the logon/transfer/logoff process. This was an important
concern since 11,000 people would be using PCs, modems, and
communication software for the first time in their lives. It
was
not realistic to expect them to understand and learn how to
transfer files.

4. Kermit can also use TCP/IP, allowing its use in different
communication environments with the same interface (and TSE
would
not be forced to teach FTP to some people and Kermit to others).

5. According to different local conditions, the line used could be
dial-up, leased, or X.25 PAD. When an X.25 PAD comes into play,
NO
PROTOCOL BUT KERMIT does the job.

6. The Kermit team could be counted on to help out if the need
arose.
And it did. TSE needed screens with messages in Portuguese so
any
Brazilian operator could understand them. Joe Doupnik and Frank
da Cruz inserted a Portuguese translation and delivered it
within a
day. Then, when the new Digital Equipment Corporation PCs
arrived,
they behaved strangely when the COMx ports were manipulated;
Digital rushed a sample PC to Joe, who quickly updated MS-DOS
Kermit for these new machines. The updated Kermit software was
transferred to Brazil using Kermit itself via long-distance
phone
call. Too good to be true. Without this instant response, all
the
election automation could have been compromised.

People may wonder why didn't the TSE try other protocols like ZMODEM,
YMODEM and akin beasts. Simple to answer in a nutshell (the long
answer has been provided above): Kermit can be used with 7- or 8-bit
lines, with leased, dial-up or PAD lines; the scripting language can
be used to automate even the most complex operation; smooth operation
in MS-DOS, MS-Windows, and HP-UX environments; and superb, unbeatable
performance in all kinds of connections and line conditions. Finally,
if anything bad happened, prompt and expert help was just a phone call
or an e-mail away.

The Results

The election was marred by widespread fraud in Rio de Janeiro. But
the automation helped detect it, allowed its extent to be assessed,
and prompted measures to avoid it in round two. The time saved by the
network was more than 75% in most states, the big exception being Rio,
where bandits blocked entry of votes into the system (where they could
not be altered) until after the ballots were forged.

But despite minor disturbances and a few major troubles, the election
was considered a huge success. President-Elect Fernando Henrique
Cardoso is recognized as a prudent person, an intellectual who has
written dozens of books and taught sociology in the USA, England,
France, and Chile. As the Economy Minister he reduced inflation from
48% per month to about 3% in less than five months. Since his
election as President, inflation has dropped to under one percent per
month, and the Real has gained value against the US dollar, which not
even the wildest dreamer could have predicted a year ago. 85% of
Brazilians are optimistic about the future and the economy is growing
by leaps and bounds.

The Future

Today Brazilians seem to be ready and eager to have the next election
in 1996 completely automated. The TSE conducted extensive studies not
only of computer technology, but also of the Brazilian public's
reactions to these new technologies to identify the right tools to
provide a fully automated election within two years. In this upcoming
election, when almost 5,000 mayors and 50,000 city representatives
will be elected, 100 million Brazilians will touch a screen, not mark
a piece of paper. There will be no transcription, therefore there
will be no fraud. Unless we come to know some new kind of
cyberfraud...

About the Author
Fernando Cabral studied Philosophy, Psychology, and Mathematics but ended up
involved with C, UNIX, and networking. Five years ago he founded PADRAO iX, a
consulting firm dedicated to connectivity and interoperability. He wears many
hats, often playing the agent provocateur among mainframers, COBOLers, and
MS-Windowers.